Re: Trust chaining & finer-grained CA trust

Is Pat Richard enquiring re: what I interpret to be a grab for exclusive
power? Is that "monopoly?" Does that retain the inner-sanctum idea of
"open platform?"

Is winning a monopoly relevant? Is this group not seeking the most
competent long-term resolution, irrespective of toolkit or patent control?

Should there be an additional period of time...2 weeks or a month, during
which to reflect on what is being driven home at this moment?

If this group were to express a desire for an extension of time and/or a
reconsideration of the proposal, who has the ultimate decision power? The
individual at the outfit that will win the monopoly or someone else?

Is this the appropriate place to suggest a call for such a vote? Do I have
the right to ask?

Ray Sarna

At 04:29 PM 2/7/97 -0800, you wrote:
>On Fri, 7 Feb 1997, Tom Weinstein wrote:
>
>> Mark Shuttleworth wrote:
>> >
>> > Hiya
>> >
>> > Perhaps I missed this bit, but surely the UI on the browser should
>> > put big flashing warnings up before letting the user accept a
>> > chainable CA cert?
>>
>> Nope. If the CA issues a cert with the correct extension for the
>> navigator to trust it as a CA, we assume that they are delegating
>> issuing authority. VeriSign uses this so that they can have multiple
>> CAs that actually issue certs descended from a single root CA that
>> just issues CA certs.
>>
>> This makes a lot of sense from a security perspective. The keys that
>> issue certs get used a lot, so they are most vulnerable to attack. If
>> you expire them frequently and keep the only copy of the root key locked
>> up in a vault, for example, you reduce your exposure.
>>
>
>Actually, it doesn't, with respect to the question of this entire
>thread, which is "Fine Grained Trust".
>
>By delegating authority with chains you end up with a PKI (all CA's
>participating in a chain with a single root) that either:
>
>1) forces all CAs to accept the "LCD" (lowest common denominator)
>with respect to trust (i.e. if a CA with low assurance is in the chain,
>then all CA's in that chain now have low assurance)
>
>or
>
>2) forces all CAs in that chain to be 100% compliant with the root
>CA's vetting policy, which is un-manageable and does not reflect
>real-world trust models.
>
>Alternatively, use a model where the CA's policies are signed and
>you have policy chains rather than CA cert chains.
>
>This way trust is not absolute and can actually exhibit "fine grained"
>features, like a PKI that can determine the assurance level of the
>2 parties involved.
>
>> --
>> You should only break rules of style if you can | Tom Weinstein
>> coherently explain what you gain by so doing. | tomw@netscape.com
>>
>
>----
>Pat Richard
>patr@x509.com
>
>
>
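
Added example, not part of the original thread or any participant's code: a simplified Python model of the two approaches debated above. Chain-only trust accepts any path whose issuers carry the CA flag, while the policy-chain variant intersects the policies asserted along the path, so a relying party can tell a strictly vetted path from a loosely vetted one under the same root. The `Cert` fields, policy labels and CA names are constructed assumptions, and signature checking is omitted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool                        # stands in for the CA extension discussed in the thread
    policies: frozenset = frozenset()  # policy labels asserted in the cert (constructed)

def check_links(chain, trusted_roots):
    """Chain is ordered root -> leaf. Raise ValueError on a broken path."""
    if not chain or chain[0].subject not in trusted_roots:
        raise ValueError("path does not start at a trusted root")
    for parent, child in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            raise ValueError(f"{child.subject} was not issued by {parent.subject}")
        if not parent.is_ca:
            raise ValueError(f"{parent.subject} is not marked as a CA")

def chain_trusted(chain, trusted_roots):
    """All-or-nothing model: any well-formed path to a trusted root is accepted."""
    try:
        check_links(chain, trusted_roots)
        return True
    except ValueError:
        return False

def path_policies(chain, trusted_roots):
    """Policy-chain model: a path is valid only for policies every cert asserts."""
    check_links(chain, trusted_roots)
    valid = set(chain[0].policies)
    for cert in chain[1:]:
        valid &= cert.policies
    return frozenset(valid)

# Constructed sample hierarchy: one root, a strictly vetted CA and a loosely vetted CA.
ROOTS = {"Root"}
root = Cert("Root", "Root", True, frozenset({"high", "basic"}))
strict_ca = Cert("Strict CA", "Root", True, frozenset({"high", "basic"}))
loose_ca = Cert("Loose CA", "Root", True, frozenset({"basic"}))
alice = Cert("alice", "Strict CA", False, frozenset({"high", "basic"}))
bob = Cert("bob", "Loose CA", False, frozenset({"high", "basic"}))  # claims more than its CA holds
carol = Cert("carol", "alice", False, frozenset({"high"}))          # issued by a non-CA cert

if __name__ == "__main__":
    for leaf, ca in ((alice, strict_ca), (bob, loose_ca)):
        chain = [root, ca, leaf]
        print(leaf.subject, chain_trusted(chain, ROOTS), sorted(path_policies(chain, ROOTS)))
```

Both sample leaves pass the chain-only check, but only the path through the strictly vetted CA remains valid for the `high` policy.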